I have had the great pleasure of working with a Microsoft 365 Link for more than a week. I must say it is the most and least exiting thing in a long time.
Why it is both exiting and not? Because it just delivers! It just works straight off, boots fast to a sign in prompt to access my Windows 365 Cloud PC.
I used it for a couple of teams meetings during the week no one could guess I was using a Windows 365 Link – worked great!
It is quiet and fast it really delivers on its promise, not much to configure as I will show later in the post. A perfect work from home device or at my office, then I don’t have to carry a laptop anymore 😉
Logging on with my FIDO key is a smooth experience and is still the most practical way going forward.
There are two things I can think off for version 2 that is on my wish list:
- USB-C Power
- More than one USB-C port as it will have a long lifetime more USB-C ports would be a plus for the future.
What about what we can do with it in Intune.
Intune enrollment
We don’t have Autopilot support which gives us basically three options. With automatic enrollment enabled we have the following options.
-Enable personal enrollment – no thank you I will pass. As we still have the issue that users home computers can end up in Intune when logging in to Microsoft 365 apps for example.
-Device Identifiers makes it count as a corporate device, makes sense as that is where we are going with Autopilot device preparation
-DEM account, I thought I would never think of using that again but makes sense as it very well can be used as a shared device.
Computer naming – it will get “WCPCD” as the prefix and a random suffix, in my case – WCPCD-QHTCQOK2U. It can be renamed after enrollment is complete, but not during the process.
Device actions
Only a subset of device actions are available which makes total sense as the other features are not implemented in the Operating System.
Compliance policy
I did not change anything in my Compliance policies to make the Windows 365 Link compliance. All checks that are not supported on the Windows 365 Link reports back as “NotApplicable” as shown below. The overall compliance state is Compliant which makes it effortless to implement the Windows 365 Link
Configuration Profiles
I have deployed a couple of my configuration profiles to the Windows 365 Link, some works and some not, they are also reported back as not applicable. Certificates and SCEP is working as well as 802.1x network profile which is necessary for it to be able to connect to many corporate networks.
The whole list of supported CSP’s can be found here: Supported configuration service provider policies for Windows 365 Link | Microsoft Learn
Assignment filters
To clean up the configuration profiles that fails or is not applicable so we have correct statistics we can use a simple Assignment filter in Intune based on “device.operatingSystemSKU” which is “WCPC” as shown below.
In Entra we can use device.model to create a dynamic group as we still need them for some assignments.
(device.deviceModel -eq “Windows 365 Link”)
Defender for Endpoint
Then we have defender for endpoint left, onboarding the Windows 365 Link to EDR works in the same way as it does with any other Windows 11 device. One big difference is that malware protection is not running, it is scanned on a schedule instead. Which gives us the following warning in the Intune Portal that Malware protection is not running.
Security recommendations are the same as for a normal Windows 11, I wonder if we can configure those settings, that will be the next test to do.
Conclusion
I would be happy to use the Windows 365 Link as my primary device, works great. Some small things to fix in Intune with policies, Compliance policies and so on but in overall an extremely smooth experience to onboard it. It fits just perfect in a Windows shop if compare it to many other solutions for a think client running Linux. Same management tool, high security.
Biggest question we have, is where to get one.. Did you get it direct somehow, or had to go through a partner?